You can configure the BES to be permissive. For example you can allow users to not have a password on the device. I haven't seen the ability to prevent users from setting a password, or prevent them from enabling content protection, if that is what you mean.